LinuxQuestions.org

Linux - Networking: IPROUTE2 - Load balance over two ISP connections breaks HTTPS (https://www.linuxquestions.org/questions/linux-networking-3/iproute2-load-balance-over-two-isp-connections-breaks-https-4175537613/)

bonowax 03-23-2015 10:57 AM

IPROUTE2 - Load balance over two ISP connections breaks HTTPS
 
Hello forum;

I have (almost) successfully set up a Linux router and load balancer, with IPROUTE2 and SQUID.

Simplifying: I have two default routes, with equal weight, and traffic is distributed in what seems a round-robin fashion.

This also causes traffic directed to HTTPS servers to be sourced from different interfaces - and IP addresses - during the same session, which these servers won't tolerate, and they expire the session.

I thought I could fine-tune route cache parameters in the kernel, to avoid route lookups during a certain period of time, but alas, the route cache has been removed from the kernel since 3.10, which is what I use.

I could force HTTPS traffic to always be directed through the same route, but that would defeat the load-balancing purpose.

I haven't been able to Google anything helpful so far.

Has anyone used such a setup and came across the same problem?

Thank you in advance for any pointers...

--
Paulo

smallpond 03-23-2015 01:38 PM

I don't think you can split traffic in a single TCP session over two routes. You won't get in-order delivery, for one thing. You should be able to load balance traffic to different IPs.

bonowax 03-24-2015 06:36 AM

Hi, and thank you for your response.
Perhaps my initial description was confusing, incomplete or both;

The intention is to use a SQUID proxy server, for our users to browse the web. This proxy runs in a box on which I have configured policy routing to use two dynamically configured Internet connections, each from a different ISP.
By having two default routes, with equal weight, SQUID's requests to websites are routed in a round-robin fashion through both links.

The problem occurs when, during the same HTTPS session, packets arrive at the destination server from different source IPs, which causes some servers to immediately expire the session and terminate it, which seems pretty sensible to me.

I could force one of the default routes to be the preferred one, based on criteria such as client IP, protocol or destination server, but that would defeat the main purpose of evenly balancing web traffic through both links.

I'm at a loss here, so any help will be very much appreciated...

--
Paulo

bonowax 05-15-2015 05:23 AM

Hello again, forum;

As it turned out, I had to resort to different approaches to find a solution.

The one in place right now:
- Using IPROUTE2, I 'divided' the Internet into two /1 subnets; depending on the destination, a different routing table and thus a different default gateway will be used.
- The shortfall of this 'solution' is that there will be no randomness in routes; the same destination will always use the same gateway, which might not distribute traffic evenly, as desired.

The other one I tried but did not work:
- Using NETFILTER, with the statistic module to mark every new IP connection with either '1' or '2' alternately, and then using different routing tables, based on fwmark.
- Everything works as expected except when traffic returns through the second established route, where the kernel returns "rtnetlink answers invalid cross-device link" and the packet is dropped.

The second solution would be much more elegant, but I'm at a loss as to why it doesn't work. My searching has been fruitless, so far. Any pointers are welcome.

--
Paulo
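The two approaches in the post above, written out as an added shell example (editor's code, not Paulo's configuration). Interface names, gateway and uplink addresses, and the table numbers are placeholders. The script assumes Squid leaves the outgoing source address to the kernel (no tcp_outgoing_address). The fwmark variant adds three things the post does not mention, as an assumption about why return traffic on the second uplink was dropped there: CONNMARK so later packets of a connection keep the mark chosen for its first packet, per-uplink SNAT so the whole TCP session leaves with one source address, and loose reverse-path filtering so replies arriving on the other uplink are not discarded. With RUN=echo (the default) it only prints the commands it would run; set RUN= and run as root to apply them.

```shell
#!/bin/sh
# Added example, not from the thread: two ways to spread Squid's outbound
# connections over two ISP uplinks with iproute2. All names and addresses
# below are placeholders (assumptions), not the poster's.
# RUN=echo (default) prints the commands; RUN= executes them (needs root).
set -u
RUN="${RUN:-echo}"

IF1="${IF1:-eth1}"; GW1="${GW1:-203.0.113.1}";  IP1="${IP1:-203.0.113.10}"
IF2="${IF2:-eth2}"; GW2="${GW2:-198.51.100.1}"; IP2="${IP2:-198.51.100.10}"

# Routing tables 100 and 200 each hold one full default route, one per uplink.
# Both approaches need them, so they are built once here.
per_isp_tables() {
    $RUN ip route replace default via "$GW1" dev "$IF1" table 100
    $RUN ip route replace default via "$GW2" dev "$IF2" table 200
    # Packets sourced from an uplink's own address must leave by that uplink
    $RUN ip rule add from "$IP1" table 100 priority 100
    $RUN ip rule add from "$IP2" table 200 priority 101
}

# Approach 1 (the poster's working one): cut 0.0.0.0/0 into two /1 halves and
# send each half to a different ISP. Deterministic: a given destination always
# uses the same uplink, so the balance depends on where users browse.
split_by_half() {
    per_isp_tables
    $RUN ip rule add to 0.0.0.0/1   table 100 priority 200
    $RUN ip rule add to 128.0.0.0/1 table 200 priority 201
}

# Approach 2 (the poster's attempt): mark every NEW connection 1 or 2 in
# alternation with the statistic match and route by fwmark. Added here
# (assumption about the poster's drop): restore the saved mark on later packets
# of the same connection, SNAT to the address of the chosen uplink so the server
# sees one source IP per session, and loosen reverse-path filtering.
mark_alternate() {
    per_isp_tables
    $RUN ip rule add fwmark 1 table 100 priority 300
    $RUN ip rule add fwmark 2 table 200 priority 301
    # Reuse the mark already chosen for an established connection
    $RUN iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    # Every other new (still unmarked) connection gets mark 1, the rest mark 2
    $RUN iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW -m mark --mark 0 \
        -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 1
    $RUN iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW -m mark --mark 0 \
        -j MARK --set-mark 2
    $RUN iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW -j CONNMARK --save-mark
    # Source address follows the uplink the packet actually leaves on
    $RUN iptables -t nat -A POSTROUTING -o "$IF1" -j SNAT --to-source "$IP1"
    $RUN iptables -t nat -A POSTROUTING -o "$IF2" -j SNAT --to-source "$IP2"
    # Loose mode: accept a reply on an uplink other than the one a lookup prefers
    $RUN sysctl -w net.ipv4.conf.all.rp_filter=2
    $RUN sysctl -w "net.ipv4.conf.$IF1.rp_filter=2"
    $RUN sysctl -w "net.ipv4.conf.$IF2.rp_filter=2"
}

case "${1:-}" in
    split) split_by_half ;;
    mark)  mark_alternate ;;
    *)     echo "usage: $0 split|mark   (RUN= to apply instead of printing)" >&2 ;;
esac
```

Usage: `sh balance.sh split` or `sh balance.sh mark` prints the commands; `RUN= sh balance.sh mark` applies them. The marking happens in the mangle OUTPUT chain because Squid's packets are locally generated; the kernel re-routes a packet whose mark changed there, but the source address it already picked from the main table stays, which is why the POSTROUTING SNAT is needed to keep one source IP per HTTPS session.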

